2025-12-25 21:02:04 +00:00
7 changed files with 22 additions and 32 deletions
--- a/config.global.example
+++ b/config.global.example
@ -36,8 +36,6 @@ ADMIN_BRIDGE=
 DFL_WAN_IP=192.168.1.101/24
 DFL_WAN_GATE=192.168.1.252

-DFL_WAN_SSH_IP:192.168.1.102/24
-

 # Doman and email configuration
 #
--- a/host/templates/pve/etc/firewall/cluster.fw
+++ b/host/templates/pve/etc/firewall/cluster.fw
@ -7,7 +7,7 @@ enable: 1

 [RULES]

-IN ACCEPT -i vmbr3 -log nolog # ADMIN
+IN ACCEPT -i vmbr3 -log nolog # STUB
 IN REJECT -i vmbr0 -p udp -dport 68 -sport 68 -log nolog # dhcp
 IN REJECT -i vmbr0 -p udp -dport 67 -sport 67 -log nolog # dhcp
 OUT REJECT -i vmbr0 -p udp -dport 68 -sport 68 -log nolog # dhcp
@ -17,8 +17,6 @@ OUT DHCPfwd(REJECT) -i vmbr0 -log nolog
 IN DNS(ACCEPT) -i vmbr0 -log nolog
 IN Ping(ACCEPT) -i vmbr0 -log nolog
 IN SSH(ACCEPT) -i vmbr0 -log nolog
-IN ACCEPT -i vmbr0 -p udp -dport 51820 -log nolog # Wireguard
-IN ACCEPT -i vmbr0 -p udp -dport 51821 -log nolog # Wireguard (alt)
 |IN OpenVPN(ACCEPT) -i vmbr0 -log nolog
 IN Web(ACCEPT) -i vmbr0 -log nolog
 IN ACCEPT -i vmbr0 -p udp -dport 22027 -log nolog # syncthing
--- a/ssh/make.sh
+++ b/ssh/make.sh
@ -34,9 +34,6 @@ LAN_GATE=SKIP

 REBOOT=${REBOOT:=1}

-DFL_WAN_SSH_IP=${DFL_WAN_SSH_IP:=}
-xread "WAN ssh ip:" WAN_SSH_IP
-
 readVars


@ -50,7 +47,6 @@ OPTS_STAGE_1="\
 	--swap $SWAP \
 	--net0 name=lan,bridge=vmbr${LAN_BRIDGE},firewall=1,ip=dhcp,type=veth \
 	--net1 name=admin,bridge=vmbr${ADMIN_BRIDGE},firewall=1,ip=dhcp,type=veth \
-	--net2 name=wan,bridge=vmbr${WAN_BRIDGE},firewall=1${WAN_SSH_IP:+,ip=${WAN_SSH_IP}},type=veth \
 	--storage local-lvm \
 	--rootfs local-lvm:$DRIVE \
 	--unprivileged 1 \
--- a/wireguard/assets/root/templates/wg0-client.tpl
+++ b/wireguard/assets/root/templates/wg0-client.tpl
--- a/wireguard/assets/root/templates/server.conf
+++ b/wireguard/assets/root/templates/server.conf
--- a/wireguard/make.sh
+++ b/wireguard/make.sh
@ -52,16 +52,13 @@ xread "Wireguard endpoint port: " ENDPOINT_PORT
 CLIENT_IPS=${CLIENT_IPS:-10.42.0.0/16}
 ALLOWED_IPS=${ALLOWED_IPS:-0.0.0.0/0,${CLIENT_IPS}}

-DNS=${DNS:-${NS_LAN_IP:-${DFL_NS_LAN_IP}}}
-DNS=${DNS/\/*}
-xread "Local network DNS:" DNS
-
 xreadYes "Show profile as QRcode when done?" QRCODE
-QRCODE=${QRCODE:-0}

 readVars


+DNS=${NS_LAN_IP/\/*}
+


 #----------------------------------------------------------------------
@ -106,10 +103,19 @@ echo "# Copying assets..."
 echo "# Setup: wireguard default profile..."
@ lxc-attach $ID -- bash -c "cd /root \
 	&& QRCODE=${QRCODE} make default.client" 
+@ lxc-attach $ID -- chmod 600 /etc/wireguard/wg0.conf

 echo "# client config:"
@ mkdir -p clients
@ pct pull $ID /etc/wireguard/clients/default.conf clients/default.conf
+# show the profile as a qrcode...
+#if [ "$QRCODE" ] ; then
+#	echo "# default profile:"
+#	@ lxc-attach $ID -- qrencode -t UTF8 -r /etc/wireguard/clients/default.conf
+#fi
+
+#echo "# Setup: bridge device..."
+@ lxc-attach $ID wg-quick up wg0 

 echo "# Post config..."
 pctSet $ID "${OPTS_STAGE_2}" $REBOOT
--- a/wireguard/templates/root/Makefile
+++ b/wireguard/templates/root/Makefile
@ -1,10 +1,10 @@

-INTERFACE := wg0
+

 SERVER_DIR := /etc/wireguard/
-SERVER_TPL := templates/server.conf
-SERVER_CLIENT_TPL := templates/client.tpl
-SERVER_CONF := $(SERVER_DIR)/$(INTERFACE).conf
+SERVER_TPL := templates/wg0.conf
+SERVER_CLIENT_TPL := templates/wg0-client.tpl
+SERVER_CONF := $(SERVER_DIR)/wg0.conf
 SERVER_KEY := $(SERVER_DIR)/server_id
 SERVER_PUBLIC_KEY := $(SERVER_DIR)/server_id.pub

@ -26,7 +26,6 @@ ALLOWED_IPS ?= ${ALLOWED_IPS}
 	wg genkey 2> /dev/null > $@
 	chmod 600 $@

-
 %_id.pub: %_id
 	cat $< | wg pubkey > $@

@ -40,9 +39,6 @@ $(SERVER_CONF): $(SERVER_TPL) $(SERVER_KEY)
 			-e 's/\$${\CLIENT_IPS}/$(subst /,\/,$(CLIENT_IPS))/g' \
 			-e 's/\$${\SERVER_PRIVATE_KEY}/'$$(sed -e 's/\//\\\//g' "$(SERVER_KEY)")'/g' \
 		> "$@"
-	chmod 600 $@
-	wg-quick up $(INTERFACE) 
-

 # XXX need to figure out a way to link this to the .config file without 
 # 	conflicting with the server's wg0.conf
@ -68,19 +64,15 @@ $(SERVER_CONF): $(SERVER_TPL) $(SERVER_KEY)
 			-e 's/\$${\CLIENT_PUBLIC_KEY}/'$$(sed -e 's/\//\\\//g' "$(CLIENT_DIR)/$*_id.pub")'/g' \
 			-e 's/\$${\SERVER_PUBLIC_KEY}/'$$(sed -e 's/\//\\\//g' "$(SERVER_PUBLIC_KEY)")'/g' \
 		>> "$(SERVER_CONF)"
-	make update $*.show
-
-
-%.show: $(CLIENT_DIR)/%.conf
-	@ [ "$(QRCODE)" == "1" ] \
-		&& ( echo "# Profile: $*" \
+	@ [ -z "$$QRCODE" ] \
+		|| ( echo "# Profile: $*" \
 			&& qrencode -t UTF8 -r "$(CLIENT_DIR)/$*.conf" )
-	@ cat "$(CLIENT_DIR)/$*.conf"
-	@ echo 


-update:
-	wg syncconf $(INTERFACE) <(wg-quick strip $(INTERFACE))
+
+%.qr: %.client
+	@ ( echo "# Profile: $*" \
+		&& qrencode -t UTF8 -r "$*.conf" )


 server: $(SERVER_CONF)